Evaluation Guide
Installation and Basic Configuration
SGN version 7.0
Contents
1 Your evaluation
1.1 Contacts
2 Installation and initial configuration
2.1 Prepare for installation
The Server
Clients
Infrastructure
2.2 Infrastructure Installation
2.2.1 Prepare the Server
2.2.2 Install SafeGuard Enterprise
2.2.3 IIS SSL Configuration
2.2.4 Remember to ensure that clients trust the self-signed certificate
2.2.5 Finalize SGN infrastructure
3 Configuration of SafeGuard Enterprise
3.1 Build basic machine policies
3.1.1 Modify the Default Policy group
3.2 Build default file encryption policies
3.2.1 Create File Policy group
3.3 Assigning Policies
3.3.1 Quick review of how to assign policies
3.3.2 Assigning the Default Policy group
3.3.3 Assign the Default File encryption policy group
4 Client Installation
SafeGuard Enterprise Encryption Suite
1 Your evaluation
Thank you for your interest in the SafeGuard Enterprise Encryption Solution.
This guide walks you through the installation, basic configuration and testing of the
SafeGuard Enterprise solution.
The guide itself will be provided in two parts. This first part will cover the installation and basic
configuration of the SafeGuard Enterprise Encryption Solution (SGN). Following through each
step in turn will ensure you have a functioning SGN infrastructure and understand the basic
installation process for SGN clients, allowing you to see how encryption can help your
organization meet its compliance requirements.
1.1 Contacts
Your account team is here to support you as you go through the evaluation process. For your
convenience, our contact details are below:
Account Manager
Engineer
In addition we have included links to a number of informative articles and other useful resources
at the end of this document.
The Server
1. A fresh Windows Server 2012 R2, 4GB RAM, 10GB free disk space and two cores. This can be a
virtual server.
2. The system must be properly instantiated in DNS; we want the FQDN to be accurate before
starting this process.
3. Prior to following the installation instructions below ensure that the server has been updated
with any Windows service packs or updates.
4. Ensure that the server is able to reach a domain controller if we want to use AD synchronization;
this can be done via LDAP or LDAPS.
5. The server must have Internet connectivity and be able to reach the Microsoft Update site.
Clients
For testing the SafeGuard solution, please provide up to 5 test devices that are indicative of
those used in the field. It is recommended that these not be production devices during the initial
test phases.
If testing the native encryption management on Windows, please ensure that the TPM has
been initialized and that Windows was installed with the system partition.
While supported for the purpose of this test, Mac clients should not have FileVault enabled.
Infrastructure
1. Create a directory on your server labeled SGN Files. You will use this directory when exporting
files or saving configurations.
2. Share this directory, so it will be available to your test clients. Client software will be placed here
in later steps for client installation.
3. In addition, create a shared directory and name it Corporate share. It will be used for file
encryption testing later.
2. Once you see a check box next to a step, select the next one. You may already have steps
checked off depending on the preparations you were able to make prior to beginning your
testing.
Once this section is completed, IIS will be installed and ready for configuration, and you will have
created a local database server using MSSQL2012. (Note: In a production environment you could
use an existing SQL server.)
2. When you are ready, select the check box I accept the license agreement and click Start
installation. You will see the installation of the SafeGuard server and management center.
3. When they have completed, the SafeGuard Management Center Wizard will launch and the
initial configuration will begin.
The SQL server information has already been carried over from the earlier step.
4. Click Next until you reach the Security Officer Data screen.
5. At this screen, create a master set of login credentials. This Master Security Officer will
authenticate based on the certificate created here. Enter a name for the User, and then select
Create. At this point, the Create MSO Certificate screen will appear.
6. At the Create MSO Certificate screen, enter a password for the new certificate store. The password
you enter here will be used to log into the SG management console. This password protects the
certificate store. The certificate you create here will be imported into that store.
7. Click OK.
8. The Export certificate dialog is displayed. Enter a password that will be used to access the
certificate. In a production environment this MSO certificate, the password and a backup of the
SafeGuard database will allow the rebuild of an SGN environment in the event of a disaster
recovery situation.
9. Click OK. Save the certificate to the SGN Files directory created earlier.
10. The next screen is the Company Certificate screen. The Create a new company certificate
option is already selected.
11. Enter a company identifier into this field. The certificate created will be used as part of the SGN
security system to bind clients to this particular environment. This will ensure that a client
cannot be moved from one SGN environment to another.
12. At the bottom of the screen we have the choice to select SHA-1 or SHA-256. If you have any XP,
Vista or Windows 7 clients that will need to be protected, choose SHA-1; if not, choose SHA-256. For the
purpose of this test environment, choose SHA-1.
The SafeGuard Management Center Wizard will update the SafeGuard Database and log you into
the SafeGuard Management Center.
2. Select the server on the left hand side and then select the Server Certificates icon.
4. The system will now prepare a certificate. The certificate will be issued to the server you are
working on. You will be prompted to enter a friendly name for the certificate. For simplicity,
enter the Fully Qualified Domain Name (FQDN) of the server. This certificate will be
validated by SafeGuard clients and must be correct. If there are any concerns with DNS, please
resolve them before proceeding any further.
5. When you click OK, you will be brought back to the Server Certificates screen and you will see
the certificate listed:
Take time to confirm that the Issued To name matches your FQDN in DNS. If not, you will want
to make sure that the DNS record matches.
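One way to run the "Issued To matches your FQDN in DNS" check from PowerShell on the server, as an added example that is not part of the original guide. It assumes the certificate sits in the local machine Personal store (Cert:\LocalMachine\My) and that the server has an IPv4 A record in DNS.

```powershell
# Added example (not from the guide): check that a server certificate's
# "Issued To" name matches the FQDN registered in DNS.
# Assumption: the certificate was created in Cert:\LocalMachine\My (Personal).

# FQDN as this server reports it.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# A records DNS returns for that name, compared with locally bound IPv4 addresses.
$dnsIps = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
$localIps = @(Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object { $_.IPAddress })
$dnsMatches = @($dnsIps | Where-Object { $localIps -contains $_ })

Write-Output "Server FQDN  : $fqdn"
Write-Output "DNS A records: $($dnsIps -join ', ')"
if ($dnsMatches.Count -eq 0) {
    Write-Warning "DNS does not resolve $fqdn to an address on this server. Resolve this before continuing."
}

# Compare each certificate's subject simple name (CN) with the FQDN,
# ignoring case, and record the properties that affect client validation.
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$now = Get-Date
$report = @(Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $issuedTo = $_.GetNameInfo($simpleName, $false)
    [pscustomobject]@{
        IssuedTo      = $issuedTo
        FriendlyName  = $_.FriendlyName
        MatchesFqdn   = ($issuedTo -ieq $fqdn)
        SelfSigned    = ($_.Subject -eq $_.Issuer)
        HasPrivateKey = $_.HasPrivateKey
        Valid         = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
        Signature     = $_.SignatureAlgorithm.FriendlyName
    }
})
$report | Format-Table -AutoSize

# A usable certificate names the FQDN, is inside its validity period,
# and has its private key present on this server.
$usable = @($report | Where-Object { $_.MatchesFqdn -and $_.Valid -and $_.HasPrivateKey })
if ($usable.Count -eq 0) {
    Write-Warning "No valid certificate with a private key is issued to $fqdn."
} else {
    Write-Output "$($usable.Count) certificate(s) in the store are issued to $fqdn."
}
```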
3. Follow the export wizard. When prompted, do not export the key. When saving, name the file
SGNSSLcert and save into the SGN Files directory created earlier.
1. On the left hand side of the IIS screen, expand Sites and choose Default Web Site.
5. A line entry for your server will now appear in your Configuration package tool screen. Select
the Scripting allowed and Win. Auth. WHD check boxes.
7. On this tab, highlight the server. Then choose the SGNFiles directory in the Configuration
Package output path field.
9. A package with the name <ServerFQDN>.msi will be created in the SGNFiles directory.
This configuration package was built using the machine certificate specific to the SGN server you
installed. It contains the necessary information for the server to connect to the SQL database and
become part of your SGN environment. Remember: every server package is unique.
4. The second, Managed Client (Default).msi, configures clients and Management Centers to
communicate with the SGN server.
5. Run the Server configuration MSI (FQDN.MSI).
6. When complete, run the Managed Client (Default).msi.
7. When prompted, reboot the system.
2. Select Check Connection and then Invoke. At this point, the SafeGuard website will impersonate
a client connecting to the server. You should then see the following results page:
4. When finished, select Save in the top left-hand side of the Management Center.
Now make a few changes to the policy items that make up this default group. These settings will
provide you with the ability to test some of the most common use cases.
5. Select each policy item listed below and make the changes to the values as described.
6. Click Save when moving between the items.
This policy will enable encryption on all supported encryption engines: Microsoft's BitLocker
encryption, Apple's FileVault 2 and Sophos SafeGuard.
When you have the themes you wish to test, review the local self help parameters.
The first number represents the number of questions a user must answer for this feature to be
available.
The second is the number they must answer to recover the system.
3. Choose the numbers that reflect your organization's requirements, for example, six to activate
and three to recover.
4. Click Save.
You have set up the basic policies required to test Full disk encryption. Now you can do one of
the following:
Skip the next section and go to section 3.3, Assigning Policies, assign these policies, and then
install the client software to begin testing.
Continue to the next section and prepare the file encryption policies before moving to the
client.
6. Save.
In the next step, we will make a few changes to the policy items that will make up this default
group. These settings will provide you with the ability to test some of the most common use
cases.
7. Select and expand Policy Items.
8. Select each policy item listed below and make the changes to the values as described.
In the Path column, type \\FQDN_of_server\Corporate Share. Please remember that the Mac
client will be case sensitive, so be careful here.
Select the Key column and add the Root_Root@SGN key as before in the Removable Media
Encryption section.
3. Click Save.
4. Click Save.
You will notice the default policy group is listed in the top box of this section, while underneath
there are two lines: .Authenticated Computers and .Authenticated Users, the everyone and
everything groups for SGN. The Default policy is targeted at our computers, so the first step is
to remove the .Authenticated Users entry.
4. Right-click on .Authenticated Users.
5. Select Remove.
6. Save.
With the policies tab of Root selected, your screen should now look like this:
We will now move to the installation of the SafeGuard software. We will need to complete the
Windows client installations before finalizing our Mac File encryption policies.
4 Client Installation
4.1 Preparation
Here we will create directories that can be accessed from your test clients via the network share set
up earlier. You will only need to follow the steps that apply to your planned POC.
5. Copy Client installers x64\ SGNClient_x64.msi to SGN Files\ SGN Windows Client\
Copy Client installers x64 (SGN 6.0.1)\ SGNClient_x64.msi to SGN Files\ SGN Windows Client
old\
Copy Client installers x86 (SGN 6.0.1)\ SGNClient.msi to SGN Files\ SGN Windows Client old\
8. Click Finish.
9. Click OK.
By default, the SafeGuard Enterprise environment is only licensed for 5 test machines. Do not
install more than 5 machines without first checking with your account team. Installing more than
5 systems can cause the system to stop providing policy updates to clients.
10. Select the other options. In this example we will select all file encryption options. Choose those
you wish to test. You can always modify the installation later to add or remove file encryption
options.
12. Once the installation has completed, you will see a confirmation screen explaining which
modules have been installed.
At the login screen a new icon will be visible. This icon allows users to log into SGN and Windows
with a single prompt. If you switch user, please ensure you use a login option with this icon; if
you do not, a second prompt will appear at the desktop asking the user to log into SafeGuard.
After logging in at the Windows prompt you will see a pop-up on your screen as SGN attempts to
connect to the server. These pop-ups can be suppressed for production, but for the purpose of
our testing these are left enabled.
When the client has communicated with the server, policies and user credentials will be delivered
to the system. As policies are configured you will see immediate changes or prompts on the
system. These will be discussed further under the test cases.
8. When done with the readme, run the Sophos SafeGuard DE.pkg.
9. Click Continue and then review the License agreement. Click Continue when ready.
10. Click Install on the next screen, and when prompted enter your credentials.
11. A number of screens will appear with a progress bar; when completed, you will see a final thank
you screen.
12. With the installation completed, go to System Preferences and open the Sophos Encryption
icon seen at the bottom of the screen.
15. Now take the Managed Client (Default).zip and drag it to the location indicated in the middle of
the screen.
16. When prompted, enter your password to update the local system.
17. The SafeGuard Client is now configured to communicate with your SGN server.
18. As policies are configured for encryption, you will be immediately prompted to enter your
password. This will be your user password and will allow you to log in at POA. At this point the
client system will upload the recovery key to the SGN server and restart.
19. After the reboot, the power-on authentication screen will prompt for credentials (as entered
before the reboot) and the user will be signed on to the system and desktop will load.
7. When done with the Readme, launch the Sophos SafeGuard FE.pkg.
Once the installation has completed, you will notice a new icon on the system. This provides
access to the same console as the DE client. Select this and open the Sophos Encryption
preferences.
9. Select Server.
10. Click Synchronize. If you have not already done so, you will be prompted for your Mac OS X password.
11. You may now select the user tab. This will display details about your user and how it is identified
by SafeGuard.
12. The Keys tab shows you the key ring provided by SGN.
13. Selecting policies and clicking on the SafeGuard icon next to Policy view will show you what
policies have been delivered.
5 Further information
5.1 White Papers and Guides
These sources will provide you with further guidance around encryption, from choosing a product to the
concerns addressed by encryption.
Encryption Buyers guide
Regulations and Standards: Where encryption applies
Gartner Magic Quadrant
Tolly report on SafeGuard Enterprise and the cost of Full Disk Encryption
Managing BitLocker with SafeGuard Enterprise, a quick read covering some of the benefits of managing
the BL native encryption engine with SafeGuard Enterprise